search

5.Automated Testing

In this lab we will see how security can be tested as well.

Mike Cohn has defined the well-known testing pyramid.

TestingPyramid Testing Pyramid

Just like any other business or technical facing test we can also test security on each layer of the pyramid.

If you want to dive deeper in practical testing please check out the Practical Test Pyramidarrow-up-right article by Martin Fowler.

hashtag
Unit Tests

We start with a simple unit test (using also mocking) to verify the correct functionality of our implementation of the UserDetailsService interface of Spring Security: The class LibraryUserDetailsService as class under test (cut).

package com.example.libraryserver.security;

import com.example.libraryserver.user.data.User;
import com.example.libraryserver.user.service.UserService;
import org.junit.jupiter.api.DisplayName;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.extension.ExtendWith;
import org.mockito.InjectMocks;
import org.mockito.Mock;
import org.mockito.junit.jupiter.MockitoExtension;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

import java.util.Collections;
import java.util.Optional;

import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
import static org.mockito.ArgumentMatchers.any;
import static org.mockito.BDDMockito.given;

@DisplayName("Verify UserDetailsService")
@ExtendWith(MockitoExtension.class)
class LibraryUserDetailsServiceTest {

  @Mock private UserService userService;

  @InjectMocks private LibraryUserDetailsService cut;

  @DisplayName("can load existing user")
  @Test
  void loadUserByUsername() {
    given(userService.findOneByEmail(any()))
        .willReturn(
            Optional.of(
                new User(
                    "Hans", "Test", "test@example.com", "secret", Collections.singleton("USER"))));
    UserDetails userDetails = cut.loadUserByUsername("test@example.com");
    assertThat(userDetails).isNotNull().isInstanceOf(AuthenticatedUser.class);
  }

  @DisplayName("reports expected error when user does not exist")
  @Test
  void loadUserByUsernameNotFound() {
    given(userService.findOneByEmail(any())).willReturn(Optional.empty());
    assertThatExceptionOfType(UsernameNotFoundException.class)
        .isThrownBy(() -> cut.loadUserByUsername("test@example.com"))
        .withMessage("No user found for test@example.com")
        .withNoCause();
  }

  @DisplayName("can update password for existing user")
  @Test
  void updatePassword() {
    User user =
        new User("Hans", "Test", "test@example.com", "secret", Collections.singleton("USER"));
    UserDetails userDetails = new AuthenticatedUser(user);

    given(userService.findOneByEmail(any())).willReturn(Optional.of(user));
    given(userService.save(any()))
        .willReturn(
            new User(
                "Hans", "Test", "test@example.com", "newpassword", Collections.singleton("USER")));

    UserDetails result = cut.updatePassword(userDetails, "newpassword");
    assertThat(result)
        .isNotNull()
        .isInstanceOf(AuthenticatedUser.class)
        .extracting(UserDetails::getPassword)
        .isEqualTo("newpassword");
  }

  @DisplayName("reports expected error when password could not be updated")
  @Test
  void updatePasswordUsernameNotFound() {
    User user =
        new User("Hans", "Test", "test@example.com", "secret", Collections.singleton("USER"));
    UserDetails userDetails = new AuthenticatedUser(user);

    given(userService.findOneByEmail(any())).willReturn(Optional.empty());
    assertThatExceptionOfType(UsernameNotFoundException.class)
        .isThrownBy(() -> cut.updatePassword(userDetails, "newpassword"))
        .withMessage("No user found for test@example.com")
        .withNoCause();
  }
}

LibraryUserDetailsServiceTest.java

Here we have to test especially the two operations of loading a user and updating a user's password to use a better password encoding algorithm.

This test uses:

Important: Always add negative test cases as well (i.e. what happens if no user has been found)!!

hashtag
Integration Tests

The next level are integration tests. Typical integration tests combine several classes and/or run inside a container like for example Spring.

hashtag
Testing Password Policies

We start with a very scoped integration test for verifying that the defined password policy is enforced as expected by the PasswordValidationService class.

Here we also verify the positive standard use cases and the negative ones as well. We could have done this test as a unit test as well but the PasswordValidationService is not well designed for unit testing as it requires calling a @PostConstruct method by the Spring lifecycle.

Practices like Test Driven Design (TDD) and Refactoring improve code design by specifying e.g. a unit test first and then writing just enough production code to make this test run green. This way we can achieve much better code design and architecture.

hashtag
Testing Authentication/Authorization for User on Web layer

Now we advance to authentication and authorization tests. First we do the tests on web layer (the Rest API) for users.

UserRestControllerIntegrationTest.java

Important part is here to configure spring security test filters for the Spring MVC tests in the setup operation by adding the apply(springSecurity()) code part.

For testing the authentication we just specify a user name with corresponding roles and verify if authentication works:

In addition to testing for authentication/authorization we can also test the CSRF protection by using

Important again here again is to test for negative cases as well, e.g. for missing authentication or CSRF token.

hashtag
Testing Authorization for BookService on Method layer

Spring Security also supports fine-grained testing of your authorization permission model. For this the annotation @WithMockUser is used to simulate a user with roles on method layer like in the BookServiceAuthorizationIntegrationTest:

BookServiceAuthorizationIntegrationTest.java

Here we also use positive and negative tests as JUnit5 nested and parameterized tests and the annotation @WithMockUser(roles = "LIBRARY_CURATOR").

hashtag
Actuator Security

Please don't forget to test the security of the Spring Boot Actuator as well. The actuator can provide very sensitive information like environment variables containing credentials or even an endpoint to shutdown the application.

Therefore it is important to add an ActuatorIntegrationTest:

ActuatorIntegrationTest.java

There a even more tests in the reference solution in lab5/library-server-complete.

hashtag
Dynamic Security Testing (DAST)

A developer should change roles from time to time and become an Ethical Hacker (an attacker just testing the own applications and not for illegal purposes).

You can use tools like:

All these tools act like a proxy between the client (the web browser) and the application. OWASP Zap and BurpSuite Professional also include automated scanners (passive/active) for typical security attacks like SQL Injections or XSS.

WARNING: The active scanners of OWASP Zap and BurpSuite should only be used on web sites you have explicitly permission for as these do perform real attacks on these web sites and can cause critical damage if security issues are found. So do NOT use it e.g. on google.de etc.!!!!

Finally both tools also have a fuzzing feature, so you can throw all kinds of data into all places for data input (like url paths, body data, etc.). This is not only useful for security tests but also good for testing error handling of your Rest API.

OWASPZap OWASP Zap

Burp BurpSuite Professional

Previous4.AuthorizationNext6.Kubernetes Security

Last updated